NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Potential RCE

May 17, 2026


Ravie Lakshmanan, May 17, 2026, Server Security / Vulnerability

A newly disclosed security flaw affecting NGINX Plus and NGINX Open Source has come under active exploitation in the wild, days after its public disclosure, according to VulnCheck.

The vulnerability, tracked as CVE-2026-42945 (CVSS score: 9.2), is a heap buffer overflow in ngx_http_rewrite_module affecting NGINX versions 0.6.27 through 1.30.0. According to AI-native security company depthfirst, the vulnerability was introduced in 2008.

Successful exploitation of the flaw can allow an unauthenticated attacker to crash worker processes or execute remote code with crafted HTTP requests. However, it bears noting that code execution is possible only on devices where Address Space Layout Randomization (ASLR), a safeguard against memory-based attacks, is turned off.

“It relies on a specific NGINX config to be vulnerable, and for an attacker to know or discover the config to exploit it,” security researcher Kevin Beaumont said. “To achieve RCE [remote code execution], additionally ASLR needs to have been disabled on the box.”

In a similar assessment, AlmaLinux maintainers said: “Turning the heap overflow into reliable code execution is not trivial in the default configuration, and on systems with ASLR enabled (which is the default on every supported AlmaLinux release), we don’t expect a generic, reliable exploit to be easy to produce.”

“That said, ‘not easy’ is not ‘impossible,’ and the worker-crash DoS is exploitable enough on its own that we recommend treating this as urgent,” the maintainers added.

The latest findings from VulnCheck show that threat actors have begun to weaponize the flaw, with exploitation attempts detected against its honeypot networks. The nature of the attack activity and the end goals are currently unknown. Users are advised to apply the latest fixes from F5 to secure their networks against active threats.
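A small triage helper, added here as an example and not part of the article or of any vendor tooling, that turns the two facts above into a check a defender can run on a host: is the installed NGINX inside the 0.6.27 through 1.30.0 range, and is ASLR on (which limits the impact to worker crashes rather than RCE). It assumes the range is inclusive at both ends, that ASLR state is read from the Linux sysctl kernel.randomize_va_space, and that `nginx -v` prints its banner to stderr; it does not inspect the rewrite configuration the article says is also required.

```python
"""Exposure triage for CVE-2026-42945 (added example, not from the article)."""
import re
import subprocess
from typing import Optional, Tuple

# Affected range as stated in the article; inclusive bounds are an assumption.
AFFECTED_MIN = (0, 6, 27)
AFFECTED_MAX = (1, 30, 0)


def parse_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract x.y.z from an `nginx -v` banner such as 'nginx version: nginx/1.26.2'."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """Tuple comparison orders numerically, so 1.9.0 sorts below 1.30.0 as intended."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def aslr_enabled(randomize_va_space: str) -> bool:
    """Interpret /proc/sys/kernel/randomize_va_space: 0 = off, 1 or 2 = on."""
    return randomize_va_space.strip() in ("1", "2")


def assess(banner: str, randomize_va_space: str) -> str:
    """Classify a host as 'not affected', 'dos' (worker-crash risk) or 'dos+rce'."""
    version = parse_version(banner)
    if version is None or not is_affected(version):
        return "not affected"
    # Per the article, code execution is only feasible where ASLR is disabled.
    return "dos" if aslr_enabled(randomize_va_space) else "dos+rce"


def assess_local_host() -> str:
    """Run the check on this Linux machine; requires nginx on PATH."""
    banner = subprocess.run(["nginx", "-v"], capture_output=True, text=True).stderr
    with open("/proc/sys/kernel/randomize_va_space") as f:
        return assess(banner, f.read())


if __name__ == "__main__":
    print(assess_local_host())
```

A 'dos' result still warrants patching: the AlmaLinux maintainers quoted above treat the worker-crash DoS alone as urgent.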

Flaws in openDCIM Also Exploited

The development comes as VulnCheck also disclosed exploitation efforts targeting two critical flaws in openDCIM, an open-source application used for data center infrastructure management. The vulnerabilities, both rated 9.3 on the CVSS scoring system, are listed below –

  • CVE-2026-28515 – A missing authorization vulnerability that could allow an authenticated user to access LDAP configuration functionality regardless of their assigned privileges. In Docker deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be reachable without credentials, allowing unauthorized modification of application configuration.
  • CVE-2026-28517 – An operating system command injection vulnerability affecting the “report_network_map.php” component, which processes a parameter called “dot” without sanitization and passes it directly to a shell command, resulting in arbitrary code execution.

The two vulnerabilities were discovered alongside CVE-2026-28516 (CVSS score: 9.3), an SQL injection vulnerability in openDCIM, by VulnCheck security researcher Valentin Lobstein in February 2026. According to Lobstein, the three flaws can be chained to achieve remote code execution over five HTTP requests and spawn a reverse shell.

“The cluster of attacker activity we’re observing so far originates from a single Chinese IP and uses what appears to be a customized implementation of the AI vuln discovery tool Vulnhuntr to automatically check for vulnerable installations before dropping a PHP web shell,” Caitlin Condon, vice president of security research at VulnCheck, said.
